An Interpretation of the Library Bill of Rights
Privacy is essential to the exercise of free speech, free thought, and free association. The courts have established a First Amendment right to receive information in a publicly funded library.1 Further, the courts have upheld the right to privacy based on the Bill of Rights of the U.S. Constitution.2 Many states provide guarantees of privacy in their constitutions and statute law.3 Numerous decisions in case law have defined and extended rights to privacy.4
In a library (physical or virtual), the right to privacy is the right to open inquiry without having the subject of one’s interest examined or scrutinized by others. Confidentiality exists when a library is in possession of personally identifiable information about users and keeps that information private on their behalf.5 Confidentiality extends to “information sought or received and resources consulted, borrowed, acquired or transmitted” (ALA Code of Ethics), including, but not limited to: database search records, reference questions and interviews, circulation records, interlibrary loan records, information about materials downloaded or placed on “hold” or “reserve,” and other personally identifiable information about uses of library materials, programs, facilities, or services.
Protecting user privacy and confidentiality has long been an integral part of the mission of libraries. The ALA has affirmed a right to privacy since 1939.6 Existing ALA policies affirm that confidentiality is crucial to freedom of inquiry.7 Rights to privacy and confidentiality also are implicit in the Library Bill of Rights’ guarantee of free access to library resources for all users.8
Rights of Library Users
The Library Bill of Rights affirms the ethical imperative to provide unrestricted access to information and to guard against impediments to open inquiry. Article IV states: “Libraries should cooperate with all persons and groups concerned with resisting abridgement of free expression and free access to ideas.” When users recognize or fear that their privacy or confidentiality is compromised, true freedom of inquiry no longer exists.
In all areas of librarianship, best practice leaves the user in control of as many choices as possible. These include decisions about the selection of, access to, and use of information. Lack of privacy and confidentiality has a chilling effect on users’ choices. All users have a right to be free from any unreasonable intrusion into or surveillance of their lawful library use.
Users have the right to be informed what policies and procedures govern the amount and retention of personally identifiable information, why that information is necessary for the library, and what the user can do to maintain his or her privacy. Library users expect and in many places have a legal right to have their information protected and kept private and confidential by anyone with direct or indirect access to that information. In addition, Article V of the Library Bill of Rights states: “A person’s right to use a library should not be denied or abridged because of origin, age, background, or views.” This article precludes the use of profiling as a basis for any breach of privacy rights. Users have the right to use a library without any abridgement of privacy that may result from equating the subject of their inquiry with behavior.9
Responsibilities in Libraries
The library profession has a long-standing commitment to an ethic of facilitating, not monitoring, access to information. This commitment is implemented locally through the adoption of and adherence to library privacy policies that are consistent with applicable federal, state, and local law.
Everyone (paid or unpaid) who provides governance, administration or service in libraries has a responsibility to maintain an environment respectful and protective of the privacy of all users. Users have the responsibility to respect each other’s privacy.
For administrative purposes, librarians may establish appropriate time, place, and manner restrictions on the use of library resources.10 In keeping with this principle, the collection of personally identifiable information should only be a matter of routine or policy when necessary for the fulfillment of the mission of the library. Regardless of the technology used, everyone who collects or accesses personally identifiable information in any format has a legal and ethical obligation to protect confidentiality.
Libraries should not share personally identifiable user information with third parties or with vendors that provide resources and library services unless the library has obtained the permission of the user or has entered into a legal agreement with the vendor. Such agreements should stipulate that the library retains control of the information, that the information is confidential, and that it may not be used or shared except with the permission of the library.
Law enforcement agencies and officers may occasionally believe that library records contain information that would be helpful to the investigation of criminal activity. The American judicial system provides a mechanism for seeking release of such confidential records: a court order issued following a showing of good cause based on specific facts by a court of competent jurisdiction. Libraries should make such records available only in response to properly executed orders.
The American Library Association affirms that rights of privacy are necessary for intellectual freedom and are fundamental to the ethics and practice of librarianship.
1 Court opinions establishing a right to receive information in a public library include Board of Education v. Pico, 457 U.S. 853 (1982); Kreimer v. Bureau of Police for the Town of Morristown, 958 F.2d 1242 (3d Cir. 1992); and Reno v. American Civil Liberties Union, 117 S.Ct. 2329, 138 L.Ed.2d 874 (1997).
2 See in particular the Fourth Amendment’s guarantee of “[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures,” the Fifth Amendment’s guarantee against self-incrimination, and the Ninth Amendment’s guarantee that “[t]he enumeration in the Constitution, of certain rights, shall not be construed to deny or disparage others retained by the people.” This right is explicit in Article Twelve of the Universal Declaration of Human Rights: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.” See: http://www.un.org/Overview/rights.html. This right has further been explicitly codified as Article Seventeen of the International Covenant on Civil and Political Rights, a legally binding international human rights agreement ratified by the United States on June 8, 1992. See: http://www.unhchr.ch/html/menu3/b/a_ccpr.htm.
3 Ten state constitutions guarantee a right of privacy or bar unreasonable intrusions into citizens’ privacy. Forty-eight states protect the confidentiality of library users’ records by law, and the attorneys general in the remaining two states have issued opinions recognizing the privacy of users’ library records. See: State Privacy Laws.
4 Cases recognizing a right to privacy include: NAACP v. Alabama, 357 U.S. 449 (1958); Griswold v. Connecticut, 381 U.S. 479 (1965); Katz v. United States, 389 U.S. 347 (1967); and Stanley v. Georgia, 394 U.S. 557 (1969). Congress recognized the right to privacy in the Privacy Act of 1974 and Amendments (5 USC Sec. 552a), which addresses the potential for government’s violation of privacy through its collection of personal information. The Privacy Act’s “Congressional Findings and Statement of Purpose” states in part: “the right to privacy is a personal and fundamental right protected by the Constitution of the United States.” See: http://caselaw.lp.findlaw.com/scripts/ts_search.pl?title=5&sec=552a.
5 The phrase “personally identifiable information” was established in ALA policy in 1991. See: “Policy Concerning Confidentiality of Personally Identifiable Information about Library Users.” Personally identifiable information can include many types of library records, including: information that the library requires an individual to provide in order to be eligible to use library services or borrow materials, information that identifies an individual as having requested or obtained specific materials or materials on a particular subject, and information that is provided by an individual to assist a library staff member to answer a specific question or provide information on a particular subject. Personally identifiable information does not include information that does not identify any individual and that is retained only for the purpose of studying or evaluating the use of a library and its materials and services. Personally identifiable information does include any data that can link choices of taste, interest, or research with a specific individual.
6 Article Eleven of the Code of Ethics for Librarians (1939) asserted that “It is the librarian’s obligation to treat as confidential any private information obtained through contact with library patrons.” See: Code of Ethics for Librarians (1939). Article Three of the 1995 Code states: “We protect each library user’s right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired, or transmitted.”
7 See these ALA Policies: “Access for Children and Young Adults to Nonprint Materials”; “Access to Library Resources and Services for Minors”; “Freedom to Read”; “Libraries: An American Value”; the newly revised “Library Principles for a Networked World”; “Policy Concerning Confidentiality of Personally Identifiable Information about Library Users”; “Policy on Confidentiality of Library Records”; “Suggested Procedures for Implementing Policy on the Confidentiality of Library Records.”
8 Adopted June 18, 1948; amended February 2, 1961, and January 23, 1980; inclusion of “age” reaffirmed January 23, 1996, by the ALA Council.
9 Existing ALA Policy asserts, in part, that: “The government’s interest in library use reflects a dangerous and fallacious equation of what a person reads with what that person believes or how that person is likely to behave. Such a presumption can and does threaten the freedom of access to information.” “Policy Concerning Confidentiality of Personally Identifiable Information about Library Users.”
10 See: “Guidelines for the Development and Implementation of Policies, Regulations and Procedures Affecting Access to Library Materials, Services and Facilities.”
Adopted June 19, 2002, by the ALA Council; amended on July 1, 2014.
Why Privacy and Confidentiality Are Important
Privacy is essential to the exercise of free speech, free thought, and free association (see Privacy: An Interpretation of the Library Bill of Rights and Questions and Answers on Privacy and Confidentiality; and George Christian Urges Congress to Reconsider Parts of the USA PATRIOT Act).
As Bruce Schneier notes in The Eternal Value of Privacy:
For if we are observed in all matters, we are constantly under threat of correction, judgment, criticism, even plagiarism of our own uniqueness. We become children, fettered under watchful eyes, constantly fearful that—either now or in the uncertain future—patterns we leave behind will be brought back to implicate us, by whatever authority has now become focused upon our once-private and innocent acts. We lose our individuality, because everything we do is observable and recordable.
Confidentiality of library records is a core value of librarianship (see Policy on Confidentiality of Library Records and Suggested Procedures for Implementing Policy on Confidentiality of Library Records). One cannot exercise the right to read if the possible consequences include damage to one’s reputation, ostracism from the community or workplace, or criminal penalties. Choice requires both a varied selection and the assurance that one’s choice is not monitored.
For libraries to flourish as centers for uninhibited access to information, librarians must stand behind their users’ right to privacy and freedom of inquiry (see Resolution on the Retention of Library Usage Records, RFID in Libraries: Privacy and Confidentiality Guidelines, and State Privacy Laws regarding Library Records).
Just as people who borrow murder mysteries are unlikely to be murderers, so those seeking information about terrorism are unlikely to be terrorists (see Resolution on the USA Patriot Act and Related Measures That Infringe on the Rights of Library Users, Resolution Reaffirming the Principles of Intellectual Freedom in the Aftermath of Terrorist Attacks, and Resolution on the Terrorism Information Awareness Program). Assuming a sinister motive based on library users’ reading choices makes no sense and leads to fishing expeditions that both waste precious law enforcement resources and have the potential to chill Americans’ inquiry into current events and public affairs (see Freedom to Read Statement).
The right to privacy is the right to open inquiry without having the subject of one’s interest examined or scrutinized by others. Confidentiality relates to the possession of personally identifiable information, including such library-created records as closed-stack call slips, computer sign-up sheets, registration for equipment or facilities, circulation records, Web sites visited, reserve notices, or research notes.
What is the difference between privacy and confidentiality?
In a library, the right to privacy is the right to open inquiry without having the subject of one’s interest examined or scrutinized by others. Confidentiality exists when a library is in possession of personally identifiable information (see “What is personally identifiable information” below) about users and keeps that information private on their behalf. Confidentiality is a library’s responsibility. This responsibility is assumed when library procedures create records such as closed-stack call slips, computer sign-up sheets, registration for equipment or facilities, circulation records, what Web sites were visited, reserve notices, or research notes.
In protecting the privacy rights and the confidentiality rights of library users, librarians should limit the degree to which personally identifiable information is monitored, collected, disclosed, and distributed.
For ALA’s privacy policies and Privacy: An Interpretation of the Library Bill of Rights, see the Intellectual Freedom Manual, latest edition, and the Web site, “Privacy and Confidentiality.”
What is “personally identifiable information?” Why is it such a wordy phrase?
“Personally identifiable information” (PII) seems to have become the generally accepted language because it covers a greater range than “personal identification,” such as a driver’s license. The phrase has been in use in ALA policy since the 1991 adoption of the Policy Concerning Confidentiality of Personally Identifiable Information about Library Users.
PII connects you to what you bought with your credit card, what you checked out with your library card, and what Web sites you visited where you picked up cookies. More than simple identification, PII can build up a picture of your tastes and interests—a dossier of sorts, though crude and often inaccurate. While targeted advertising is the obvious use for PII, some people would use this information to assess your character, decide if you were a security risk, or embarrass you for opposing them. Because of the chilling effect that such scrutiny can have on open inquiry and freedom of expression, libraries and bookstores have long resisted requests to release information that connects individual persons with specific books.
If there is no reasonable expectation of privacy in a public place, how can anyone expect privacy in a library?
A library cannot be responsible for someone being seen or recognized in a library, but should take steps to protect user privacy whenever possible. That is, in a library, a user’s face may be recognized, but that does not mean that the subject of the user’s interest must also be known. Library buildings, interior design, and functions can be planned to preserve privacy of inquiry, even while the user’s presence and behavior remain observable. Thus, both safety and privacy are maintained. To the greatest extent possible, the user should be able to work independently, both to afford privacy and to reduce the quantity of confidential records for which the library must be responsible.
What about the rights of staff, volunteers, and trustees?
Privacy: an Interpretation of the Library Bill of Rights, like the Library Bill of Rights itself, addresses the rights of library users. As such, this latest Interpretation does have implications for staff, volunteers, and trustees. Librarians involved in training volunteers, new employees, or trustees should inform them of the requirements that they not abuse confidentiality and that they protect library users’ rights of privacy. When staff are themselves library users, they are entitled to equal protection of their privacy and confidentiality of their records as library users.
If users have rights and librarians have responsibilities, don’t users also have responsibilities to protect their own privacy?
Privacy: an Interpretation of the Library Bill of Rights, like the Library Bill of Rights itself, addresses the rights of library users. Text is included in this latest Interpretation about the right of the user to be informed of library policy and practices that create choices for the user about personal privacy.
Librarians should educate the public, through a variety of methods, about information and tools that can help to preserve privacy or protect the confidentiality of personally identifiable information. In each library transaction in which an individual is asked to divulge personally identifiable information, library staff need to ensure that the individual is making an informed choice. Librarians should clarify any trade-offs between greater convenience and greater privacy. Users also need to understand their own responsibility to respect one another’s privacy.
Does privacy include a right to avoid exposure to unwanted images?
Protecting privacy in the library setting ensures open inquiry without fear of having one’s interests observed by others. Ensuring user privacy not only benefits the user, but also those who prefer not to see what other users view. When there is a conflict between the right of individuals to view constitutionally protected speech and the sensibilities of unwilling viewers, free expression rights have generally prevailed in the Courts unless unwilling viewers are unable to avert their eyes. Libraries may address the concerns of unwilling viewers in a number of different ways, including the strategic placement of workstations and the use of devices such as privacy screens or recessed monitors.
What role does education play in protecting patron privacy?
The library should have a continuing training plan to educate staff, trustees, volunteers, and contract workers about library privacy principles, policies and procedures, and library staff’s legal and ethical responsibilities as custodians of personally identifiable information. It is important that all concerned understand that this responsibility includes avoiding any inferences about users based on their library use.
Library staff should also be informed of their responsibility to cooperate with other organizations that work to protect privacy and challenge intrusions.
Librarians must educate the public through a variety of learning methods that provide the information and tools individuals need to protect their privacy and the confidentiality of their own personally identifiable information. For support in this area, see the “Privacy and Confidentiality” section of the ALA Office for Intellectual Freedom’s Web site.
I know people can be suspicious of what bureaucrats might do with personal information, but I’m a librarian — can’t people just trust me?
While we librarians don’t often think of ourselves as government bureaucrats, members of the public may see us as authorities just like a uniformed police officer or a robed judge. In fact, staff in publicly funded libraries are part of government and are constrained by all the laws that restrict the power of government. One of the lessons learned on the way to democracy was that no matter how nice the current office holder may be, someday someone else may try to abuse the position. Laws and institutional policies are among the ways we make sure that we aren’t totally dependent on the character of the person in the job. Especially when new technology makes issues look different, policies can provide guidance and strength. By establishing strong privacy and confidentiality policies, libraries can protect staff from pressure to violate users’ rights.
Protection of Privacy and Library Records
What is a Privacy Audit and whose responsibility is it?
A privacy audit is a technique for assuring that an organization’s goals and promises of privacy and confidentiality are supported by its practices, thereby protecting confidential information from abuse and the organization from liability and public relations problems. An audit ensures that information processing procedures meet privacy requirements by examining how information about customers and employees is collected, stored, shared, used and destroyed. Privacy auditing is a process, not a one-time solution, as services, data needs, and technology change. A designated Privacy Officer may lead the audit, but all stakeholders and aspects of privacy need to be represented, from information technology to public relations. The audit process needs to be capable of dealing with the full extent of the information system. When a library is part of a larger organization that is conducting a privacy audit, specific library issues and needs must be included.
The audit process begins by evaluating the organization’s existing policies and procedures for legality and consistency with the organization’s mission and image. When policies have been reviewed (or established), the data collected can be categorized according to the degree of security necessary. The audit assesses the sensitivity, security risks, and public perceptions of the information the organization collects. The audit examines the necessity for each type of data, how it is collected, and what notice and options are provided to the individuals identified by the information. Mapping how data flows through the organization for access, storage, and disposal can reveal security needs, both electronic and physical. The audit process itself must be managed so that it does not increase risks and its recommendations must be addressed quickly once risks are revealed.
Coyle, Karen. 2002. “Privacy and Library Systems Before & After 9/11.” (last accessed December 15, 2004).
Enright, Keith P. “Privacy Audit Checklist.” (last accessed December 15, 2004).
Flaherty, David H. 1998. “How To Do A Privacy And Freedom Of Information Act Site Visit.” David H. Flaherty. (last accessed December 15, 2004).
Jerskey, Pamela, Ivy Dodge, Sanford Sherizen. “The Privacy Audit: a Primer.” (last accessed December 15, 2004).
Matis, Michael. 2002. “The Code of Librarianship: Ethics and Information Architecture.” (last accessed December 15, 2004).
Texas Department of Information Resources. 2000. “Privacy Issues Involved in Electronic Government.” (last accessed December 15, 2004).
Can libraries use social security numbers (SSNs) in patron databases or for other means of uniquely identifying our users?
SSNs are not entirely random numbers: the first three digits indicate in which state the number was issued, and the next two numbers indicate the order in which the SSN was issued in each area. Only the last four numbers are randomly generated. Thus, even the disclosure of an SSN without further action does divulge private information.
Some states restrict the use of social security numbers to circumstances explicitly authorized by law, particularly for the reporting of income for employees. Section 7 of the Federal Privacy Act of 1974 provides that any agency requesting an individual to disclose his or her SSN must “inform that individual whether that disclosure is mandatory or voluntary, by what statutory authority such number is solicited, and what uses will be made of it.” The Family Educational Rights and Privacy Act (FERPA) requires publicly-funded schools to obtain written consent for the release of personally identifiable information, which courts have ruled includes SSNs. The widespread use of SSNs by public and private agencies has created a dual threat of fraud victimization and the invasion of privacy, by linking significant amounts of personal and financial information through a single number. In November 2004 the GAO noted that “. . . it is clear that the lack of a broad, uniform policy allows for unnecessary exposure of personal Social Security numbers.”
Libraries have long used SSNs to trace patrons who have outstanding fines or overdue materials, often through collection agencies. In fact, the current state of internet technology often allows an individual to be located without the use of an SSN. Libraries that choose to use SSNs in patron databases or to identify users should:
inform patrons whether providing their SSNs is mandatory or voluntary, and under what statutory authority the SSNs are solicited;
inform patrons of the purpose for which SSNs will be used;
use encryption to protect SSNs within patron databases; and
investigate other methods of uniquely identifying patrons and tracing those who have outstanding fines or overdue materials.
EPIC. Social Security Number (SSN) Privacy Page (last accessed December 15, 2004).
Family Educational Rights and Privacy Act (FERPA) (last accessed November 19, 2004).
Governmental Accounting Office. Social Security Numbers: Governments Could Do More to Reduce Display in Public Records and on Identity Cards, GAO-05-59, November 9, 2004 (last accessed November 19, 2004).
Privacy Act of 1974 and Amendments (as of Jan 2, 1991) (last accessed November 19, 2004).
Privacy Rights Clearinghouse. “Your Social Security Number: How Secure Is It?” (last accessed December 15, 2004).
Sample library policies:
Maine State Library. “Note on Use of Social Security Numbers as ID Number.”
College of William & Mary. Earl Gregg Swem Library. “Faculty Circulation Services.”
Are there special challenges created for library administration by digital patron records?
Any database of personally identifiable information is a potential target for computer crime and identity theft. Data security must be planned to protect both the library itself and its promise of confidentiality, and to ensure the thorough removal of patron records as soon as each ceases to be needed. Library administration should seek ways to permit in-house access to information in all formats without creating a data trail. Library policies should clearly state the purposes for which users’ personally identifiable information is needed; these records should be deleted as soon as the original purpose for collection has been satisfied.
In general, acquiring the least amount of personally identifiable information for the shortest length of time reduces the risk of unwanted disclosure. The library should also invest in appropriate technology to protect the security of any personally identifiable information while it is in the library’s custody, and should ensure that aggregate data has been stripped of personally identifiable information.
In order to assure their obligations of confidentiality, libraries should implement written policies governing data retention and dissemination of electronic records. These policies should affirm the confidentiality of information about library users and their use of all library materials.
What if our library or institutional policy requires us to be closely involved with or closely monitoring our library users?
In all libraries, it is the nature of the service rather than the type of the library that should dictate any gathering of personally identifiable information. Some common library practices necessarily involve close communication with—or monitoring of—library users. Services such as bibliographic instruction, reference consultation, teaching and curriculum support in school libraries, readers’ advice in public libraries, and preservation of fragile or rare library materials in special collections libraries are just a few instances of services that require library staff to be aware of users’ information-access habits. As part of serving the user, it is often necessary for staff to consult with each other. Staff must be careful to conduct such conversations privately and keep strictly to the purpose. But in all types of libraries, any such compromising of user privacy by library staff carries with it an ethical and professional (and often legal) obligation to protect the confidentiality of that personally identifiable information. Most important, all gathering of personally identifiable information should be done in the interests of providing, or improving, particular library services.
What else besides library records might compromise user privacy?
It is inevitable that library staff will recognize users. It is also necessary that staff be aware of activity and behavior inside the library to ensure that users’ needs are met and for security purposes. This knowledge should not be put to any purpose other than service to library users.
Does the library’s responsibility for user privacy and confidentiality extend to licenses and agreements with outside vendors and contractors?
Most libraries conduct business with a variety of vendors in order to provide access to electronic resources, to acquire and run their automated systems, and in some instances, to enable access to the Internet. Libraries need to ensure that contracts and licenses reflect their policies and legal obligations concerning user privacy and confidentiality. Whenever a third party has access to personally identifiable information, the agreements need to address appropriate restrictions on the use, aggregation, dissemination, and sale of that information, particularly information about minors. In circumstances in which there is a risk that personally identifiable information may be disclosed, the library should warn its users.
How does the library’s responsibility for user privacy and confidentiality relate to the use by library users of third party services in accessing their own circulation records?
Free third-party services are now available that remind library users of due dates and circulation fines via e-mail or RSS feeds. Libraries should advise users about the risks associated with providing library card numbers, passwords, or other library account information to any third party. These risks include changes in the privacy policies of the third-party service without customer notification, and disclosure of the user’s library circulation records or other personally identifiable information, whether such disclosure is inadvertent or purposeful. Third parties are not bound by library confidentiality statutes or other laws protecting the privacy of user records. For these reasons, neither the library nor the library user can be certain that confidentiality will be adequately protected.
Are privacy rights of minors the same as those of adults? What information about a minor’s use of the library should be kept confidential and what may be released to parents?
The rights of minors vary from state to state. Libraries may wish to consult the legal counsel of their governing authorities to ensure that policy and practice are in accord with applicable law. In addition, the legal responsibilities and standing of library staff in regard to minor patrons differ substantially in school and public libraries. In all instances, best practice is to extend to minor patrons the maximum allowable confidentiality and privacy protections.
Parents are responsible not only for the choices their minor children make concerning the selection of materials and the use of library facilities and resources, but also for communicating with their children about those choices. Librarians should not breach a child’s confidentiality by giving out information readily available to the parent from the child directly. Libraries should take great care to limit the extenuating circumstances in which they will release such information.
Parental responsibility is key to a minor’s use of the library. Notifying parents about the library’s privacy and confidentiality policies should be a part of the process of issuing library cards to minors. In some public libraries, the privacy rights of minors may differ slightly from those of adults, often in proportion to the age of the minor. The legitimate concerns for the safety of children in a public place can be addressed without unnecessary invasion of minors’ privacy while using the library.
The rights of minors to privacy regarding their choice of library materials should be respected and protected. More information on the privacy rights of children can be found on the OIF’s page “Privacy Resources for Librarians, Library Users, and Families.”
This new Interpretation of the Library Bill of Rights is intended to reaffirm and clarify the long-standing commitment of librarians to protect the privacy rights of our users, regardless of the format or medium of information in use. This commitment has not changed in the era of the World Wide Web. In fact, it has only strengthened in the years since the Internet was introduced into America’s libraries. See for example Access to Electronic Information, Services, and Networks, in which ALA reaffirmed that “Users have both the right of confidentiality and the right of privacy.”
Many non-library Web sites now have privacy policies that explain whether personally identifiable information is collected, how it is used if it is collected, and whether they sell or share this information with third parties. Such policies often explain how “cookies” are placed on a hard drive and how they are used to track Web surfing. The privacy policies on governmental Web sites—including governmental library sites—may be covered by applicable local, state, and federal laws. However, regardless of whether such laws are in place or not, libraries of all types—not just those that are publicly funded—need policies outlining the protections in place governing the online and offline privacy and confidentiality rights of library users.
Links to selected sample library privacy policies can be found at Privacy Resources for Librarians, Library Users, and Families. In addition, Chapter 2, part V, of the Intellectual Freedom Manual (latest edition) discusses the process involved in developing a confidentiality policy. See also, “Developing a Confidentiality Policy.”
What about additional records kept by libraries for the purpose of serving patrons with special needs?
If libraries create additional records for special purposes, the same responsibility to maintain the confidentiality of those records applies. However, libraries that choose to keep such information on an ongoing basis acquire a correspondingly greater responsibility to maintain the ongoing confidentiality of that information. Policies and procedures should address the collection, retention, and disclosure of records in any format that contain personally identifiable information in compliance with statutory requirements. Libraries should also apply the Fair Information Practice Principles: Notice, Consent, Access, Security and Enforcement. When complying with ALA’s Library Services for People with Disabilities Policy, all attempts should be made to protect the privacy and confidentiality of library users with disabilities.
What about smart cards, or ID cards that use biometric enhancements? Won’t they help protect privacy?
Smart cards are getting a lot of attention for their ability to store personal data for a variety of applications. With the best intentions, government agencies sometimes propose sharing data on people who receive government services. Library policies on confidentiality should state clearly that personally identifiable information collected by the library will not be shared with any other agency or organization unless required by a court order. If agencies are jointly issuing a smart card, library data must be partitioned with no leakage to other agencies.
The more agencies using a shared card, the greater the need for strong identification confirmation. Various biometrics, from photographs to fingerprints to iris scans, are proposed to ensure that identification cards are authentic. This raises correspondingly greater risks that tampering with the encoding of identification will affect every aspect of an individual’s life. Biometrics can offer increased convenience, as in the suggestion of children checking out books by thumb print, but the risks must be carefully weighed. Libraries have a responsibility to invite public discussion on the pros and cons of identification technology proposals. The following URLs consider various aspects of new identification card technology:
American Library Association. Resolution on Privacy and Standardized Driver’s Licenses and Personal Identification Cards (adopted January 19, 2005; last accessed February 2, 2005).
Barnes, Bill. 2001. “The National ID Card: If They Build it, Will it Work?” Slate. (last accessed December 15, 2004).
Computer Professionals for Social Responsibility. 2002. “National Identification Schemes: Links to Resources.” (last accessed December 15, 2004)
Electronic Privacy Information Center. 2002. “National ID Cards.” (last accessed December 15, 2004)
Ellison, Larry. 2001. “Smart Cards: Digital IDs Can Help Prevent Terrorism,” Wall Street Journal, Monday, October 8, 2001, (last accessed December 15, 2004)
Garfinkel, Simson. 2002. “Identity Card Delusions,” Technology Review, April 2002, (last accessed December 15, 2004)
Glasner, Joanna. 2001. “Linking Records Raises Risks.” Wired News, April 20, 2001, (last accessed December 15, 2004)
Ham, Shane and Robert D. Atkinson. 2002. “Frequently Asked Questions about Smart ID Cards.” Progressive Policy Institute. (last accessed December 15, 2004)
Smart Card Basics. “A sponsored site brought to you by a number of companies in the smart card industry.” (last accessed January 24, 2005)
Wylie, Margie. 2001. “Database Flaws Could Hamper Any National ID System, Experts Warn.” Newhouse News Service. (last accessed December 15, 2004)
What about data encryption?
Some privacy rights advocates encourage increased use of data encryption as a method for enhancing privacy protection. Encrypted data requires others to use a pre-defined electronic “key” to decipher the contents of a message, file, or transaction. While not yet in widespread use by individuals, data encryption is commonly used in online banking and commerce. Libraries should negotiate with vendors to encourage the use of such technology in library systems (e.g., in the document delivery, saved searches, and email features now offered by many OPAC vendors). Whenever possible, libraries should consider making encryption tools available to library users who are engaging in personalized online transactions or communications.
Center for Democracy and Technology Resource Library: Encryption. (last accessed March 4, 2005)
CERT Coordination Center List of Security Tools. Revised June 2001. (last accessed March 4, 2005)
Electronic Frontier Foundation Encryption Archive. (last accessed March 4, 2005)
Electronic Privacy Information Center Cryptography Policy. Revised October 2001. (last accessed March 4, 2005)
Electronic Privacy Information Center Online Guide to Practical Privacy Tools. Updated March 2005. (last accessed March 4, 2005)
MyCrypto.net – Encryption, Privacy and Internet Security. (last accessed March 4, 2005)
Our library has been using a lot of new technologies in recent years. How can we stay on top of all the privacy concerns?
Every technology since fire can be used for both good and evil. It is the responsibility of librarians to establish policies to prevent “function creep.” As much as any threat or promise to privacy posed by new technologies, it is attention and commitment to fundamental principles of data security that may best ensure that user rights to privacy and confidentiality are not threatened through their use of library services. To help define and assess your local data security practices, consider reviewing these guidelines:
Fact Sheet 12: Responsible Information-Handling. Utility Consumers’ Action Network/Privacy Rights Clearinghouse. Revised May 2002. (last accessed May 27, 2005)
Infopeople Project How-To Guides: Library Computer and Network Security. Updated November 2004. (last accessed May 27, 2005)
My library is considering implementing a Radio Frequency Identification (RFID) system for circulation and stacks maintenance. What are the implications for patron privacy of such systems?
Some libraries have already implemented RFID; others are waiting until some of the industry technical standards and privacy implications have been better resolved. ALA has approved RFID Privacy Principles that encourage libraries to adopt and enforce privacy policies and discourage inclusion of personal information on RFID tags. When considering, selecting and implementing RFID, libraries should safeguard user privacy by consulting ALA’s RFID in Libraries: Privacy and Confidentiality Guidelines in order to adopt best practices to protect privacy and confidentiality. Additional resources are also available:
ALA. Resolution on Radio Frequency Identification (RFID) Technology and Privacy Principles. January 19, 2005.
ALA Library. “Fact Sheet 25 – RFID: A Brief Bibliography.”
ALA Office for Intellectual Freedom. “RFID: Radio Frequency IDentification Chips and Systems.”
Ayre, Lori Bowen, The Galecia Group. “Position Paper: RFID and Libraries. August 19, 2004.”
Book Industry Study Group. “BISG Policy Statement #002: RFID – Radio Frequency Identification Privacy Principles. Approved: September 23, 2004.”
E-list: “RFID_LIB A forum for discussion of the uses and implications of using RFID technology in libraries.”
Electronic Frontier Foundation. “Radio Frequency Identification (RFID).”
Electronic Privacy Information Center. “Radio Frequency Identification (RFID) Systems.”
Givens, Beth, Director of the Privacy Rights Clearinghouse. “RFID Implementation in Libraries: Some Recommendations for ‘Best Practices.’”
Library and Information Technology Association. “Technology and library users, an ongoing discussion. The Top Trends, Issue Two: RFID.” January 11, 2004.
Molnar, David and David Wagner. “Privacy and Security in Library RFID Issues, Practices, and Architectures.” (CCS’04, October 25-29, 2004, Washington, DC)
“RFID Position Statement of Consumer Privacy and Civil Liberties Organizations.” November 20, 2003.
Weblog: “RFID in Libraries.”
Can circulation or registration information be used for other library purposes, such as to generate mailing lists for fund-raising by the library or its Friends group?
Notice should be provided to all users of any library use of PII.
Any use of PII beyond circulation or administration should be authorized only on an opt-in basis. At the time of registration, users should be asked to opt in to additional and specifically enumerated uses of their PII (e.g., for fund-raising appeals). The PII of those who decline to opt in should not be made available for any additional uses.
Any time a library decides to extend use of PII in ways not already authorized, it must seek user opt-in. Libraries should presume that all non-responders wish to opt out of the new use.
What privacy rights do library employees enjoy in the workplace?
Employers have a legitimate interest in ensuring efficiency and productivity. Library management has an obvious further interest in ensuring that employee practices do not adversely affect user service or infringe on user rights, including user rights of privacy and confidentiality. But library employers who use electronic or video surveillance or engage in monitoring of computer, e-mail, or telephone use must carefully evaluate these practices in light of both legal requirements and the profession’s ethical commitment to upholding rights of privacy and confidentiality.
Legal issues: Few laws regulate employee monitoring in the private sector, although federal, state, and local government employees benefit from some degree of legal protection. However, some state public record and record retention laws may impact the degree to which employee personally identifiable information (PII) is kept confidential. Employee PII not covered by law or regulation must be kept confidential. Further, employees have a right to know what security and information management systems are in place to protect personnel records containing PII, and a right to a clear enumeration of the circumstances under which such information may be provided to third parties. Library policy should call for the release of PII to law enforcement requests only when those requests come in the form of a court order from a court of competent jurisdiction.
Monitoring: In many libraries, employees are required to sign Internet and computing use agreements that differ from the policies extended to library users. However, if a library intends to engage in monitoring of staff workstations or work spaces, it should give notice through a written policy providing:
notice of these practices to employees
notice to the public if any staff-user interactions (e.g., virtual reference) are subject to monitoring or recording; and both redaction of PII from and regular purging of all such records
notice to employees if their social security numbers are used as unique identifiers in personnel or other records
employee access to all PII, including any collected through monitoring, and the right to dispute and delete inaccurate data
no monitoring of areas designed for employee health or comfort
no collection of data not specifically related to work performance
restrictions on PII disclosure to third parties without employee consent
Staff with access to employee PII: All staff and any others with access to employee PII must understand they are not to look at any stored information without prior authorization to do so, and in accordance with written policies; and that if they accidentally see any such data (such as electronic monitoring logs, e-mail subject lines, file names, etc.) they are bound by confidentiality guidelines.
Staff use of library resources: All staff use of library resources or public access workstations that is conducted outside of work hours and/or is not directly job-related should be covered in the same way that any library user’s privacy and confidentiality is protected.
For more information on employee privacy rights, and on policy writing to protect those rights, see:
ACLU. Privacy in America: Electronic Monitoring. (Oct. 22, 2003).
ACLU. Through the Keyhole. (July 26, 1998).
EPIC. Workplace Privacy Page. (Aug. 3, 2004).
Privacy Rights Clearinghouse. Fact Sheet 7: Workplace Privacy. (Rev. Sept. 2002).
What if law enforcement requests disclosure of library records? What if laws applicable to my library require the disclosure of some or all library records or other personally identifiable information without a court order?
Library policies must not violate applicable federal, state, and local laws. However, in accordance with Article IV of the Library Bill of Rights, librarians should oppose the adoption of laws that abridge the privacy rights of any library user.
Forty-eight states have statutes that protect the confidentiality of library records. The other two have attorneys general opinions that support the confidentiality of library records. For your state statute or opinion, see State Privacy Laws regarding Library Records.
Library policy should require that law enforcement requests for any library record be issued by a court of competent jurisdiction that shows good cause and is in proper form. See ALA’s documents, Suggested Procedures for Implementing Policy on Confidentiality of Library Records and Policy on Confidentiality of Library Records. The library governing authority needs to be aware that privacy, and especially the privacy of children and students, may be governed by additional state and federal laws. For example, on April 21, 2000, a new Federal law, the Children’s Online Privacy Protection Act (COPPA), went into effect. This law, designed to protect children’s privacy on the Internet, directly impacts how children access Internet content.
When creating its privacy policies, library governing authorities need to be fully aware of any such laws regarding disclosure and the rights of parents, and create policies accordingly. Faculty and school administrators do not have parental authority over students’ privacy.
Chapter 2, part V, of the Intellectual Freedom Manual (latest edition) discusses the process involved in developing a confidentiality policy. See also, “Developing a Confidentiality Policy.”
What about library staff’s civic duty to help law enforcement?
If staff observe illegal behavior, this should be reported to law enforcement. A library should have clear, written procedures for responding to criminal behavior, in addition to behavior that violates policy. Neither libraries, their resources, nor their staff should be used in any scheme to elicit and catch criminal behavior.
In the event of a request for information from a federal or local law enforcement agency, librarians should consult with their library administration and/or legal counsel before complying with such requests. Librarians should note that requests made under the USA PATRIOT Act (http://www.ala.org/alaorg/oif/usapatriotact.html) must come from the Federal Bureau of Investigation and are not valid if coming from state agencies. If a librarian is compelled to release information, further breaches of patron confidentiality will be minimized if the librarian personally retrieves the requested information and supplies it to the law enforcement agency. Otherwise, allowing the law enforcement agency to perform its own retrieval may compromise confidential information that is not subject to the current request.
Library policies protecting patron privacy and confidentiality are grounded in the profession’s ethical commitment to providing an atmosphere conducive to free intellectual inquiry. We must always remember that we have a unique and important contribution to make to society through this protection, and that as such we have a duty to make it a priority.
Are video or electronic surveillance cameras in libraries a violation of patron privacy?
Today’s sophisticated high-resolution surveillance equipment is capable of recording patron reading and viewing habits in ways that are as revealing as the written circulation records libraries routinely protect. When a library considers installing surveillance equipment, the administrative necessity of doing so must be weighed against the fact that most of the activity being recorded is innocent and harmless. Any records kept may be subject to FOI requests. Since any such personal information is sensitive and has the potential to be used inappropriately in the wrong hands, gathering surveillance data has serious implications for library management.
If the library decides surveillance is necessary, it is essential for the library to develop and enforce strong policies protecting patron privacy and confidentiality appropriate to managing the equipment, including routine destruction of the tapes in the briefest amount of time possible, or as soon as permitted by law.
What about security? Shouldn’t priority be given to the legitimate needs of security personnel who are responsible for protecting the physical safety of users and staff? And what about the needs of systems personnel to ensure security of computers and networks?
Those responsible for maintaining the security of the library, its users, staff, collections, computing equipment and networks all have a special obligation to recognize when they may be dealing with sensitive or private information. Like other staff whose jobs are not direct library service (custodians, guards, etc.), those with access to personally identifiable information or to users’ personal files need to be informed of library ethics and of job expectations that they will not abuse confidentiality.
It is the responsibility of library staff to destroy information in confidential or privacy protected records in order to protect from unauthorized disclosure. Information that should be regularly purged or shredded includes personally identifiable information on library resource use, material circulation history, and security / surveillance tapes and logs. Libraries that use surveillance cameras should have written policies stating that the cameras are not to be used for anything else to avoid “function creep.” If the cameras create any records, the library must recognize its responsibility to protect their confidentiality like any other library record. This is best accomplished by purging the records as soon as their purpose is served.
Won’t privacy policies create a situation that will protect illegal acts?
All libraries are advised to have in place Patron Behavior policies as well as Internet Use policies. In both instances it should be clearly stated that engaging in any illegal act will not be permitted. A possible policy statement could be:
Any activity or conduct that is in violation of federal, state, or local laws is strictly prohibited on library premises.
Clear evidence of illegal behavior is best referred to law enforcement who know the processes of investigation that protect the rights of the accused.
Should staff be instructed to monitor library use by patrons to determine inappropriate or illegal behavior?
Library Patron Behavior policies and Internet Use policies should clearly state that illegal activity is prohibited. Staff should be carefully trained to deal with any illegal patron behavior that is apparent to them or has been brought to their attention. General monitoring by staff of patron content or use of library materials and resources in any format is inappropriate in all instances with the exception of observation for the purposes of protecting library property. Patron Behavior and Internet Use policies should clearly state all of the steps to be taken by staff when illegal behavior or activity in violation of the above policies is observed. The steps in these guidelines will vary from library to library and should be determined locally. Once again, clear evidence of illegal behavior is best referred to law enforcement who know the processes of investigation that protect the rights of the accused.